Hack Tibet

Welcome to Dharamsala, ground zero in China's cyberwar.

DHARAMSALA, India — Lobsang Gyatso Sither sits at the front of a Tibetan school auditorium, the bright rectangle of his PowerPoint presentation dimly illuminating the first few rows of students before him. "Never open attachments unless you are expecting them," Sither says. The students nod. A portrait of the Dalai Lama hangs above the stage, framed by flickering electronic candles; a stray dog ambles behind the crowd. "Never give anyone else your passwords," Sither says, clicking to a new slide, which explains the dangers of using an unfamiliar thumb drive. "The Chinese government or others could take control of your computer."

Welcome to Dharamsala, population 20,000 and one of the most hacked places in the world. This small city in India’s lush Himalayan foothills is home to the Dalai Lama, the exiled Tibetan spiritual leader; the Central Tibetan Administration, or CTA (formerly called the Tibetan government in exile); and a host of Tibetan media outlets and nongovernmental organizations, some of which the Chinese government classifies as terrorist groups. The Dalai Lama fled here in 1959 after communist troops violently suppressed an uprising in Lhasa, now the capital of western China’s Tibetan Autonomous Region. India embraced the Dalai Lama as a token of religious diversity, and tens of thousands of refugees followed suit. About 130,000 Tibetans live in exile, according to a 2009 census; Dharamsala is the closest thing they have to a political capital.

The city has an ancient feel. Homes cling to precipitous mountain roads that weave through dense cedar forests; macaque monkeys prance among the rooftops. Yet it is changing, moving cautiously into the future. Computers have become ubiquitous. Roadside cafes offer double espressos and wireless Internet (common passwords include "FreeTibet" and "Independence"). Young Tibetans are snapping up iPhones, which, unlike competing devices, offer the option of a Tibetan-language keyboard.

Communication between the city’s Tibetan community and Tibet itself is easier than it has ever been. Yet the risk of dialing home has never been greater. "If we don’t use secure lines of communication, Tibetans in Tibet could be prosecuted" for sending sensitive information abroad, says Sither, a field coordinator for the Tibet Action Institute, a New York-based nonprofit that sponsors education initiatives and trains activists on secure communications systems.

The Chinese government is everywhere and nowhere in Dharamsala, planting malware and intercepting messages in ways that are nearly undetectable and difficult to trace. The CTA’s Chinese-language website was hacked in August. Everyone within the Tibetan community is a target, from the Dalai Lama’s advisors to any smartphone-wielding refugee.

In early November, Tibet’s Communist Party chief, Chen Quanguo, proposed a raft of measures to stamp out the Dalai Lama’s voice in Tibet, including clamping down on online communications. "Work hard to ensure … that the voice and image of the enemy forces and the Dalai clique are neither seen nor heard," he wrote in Qiushi, a leading party journal.

A brutal, centuries-old form of protest has caught fire in Tibet, and Beijing is resorting to tactics both heavy-handed and high-tech to quell the unrest. Since February 2009, at least 120 Tibetans in the Himalayan region have self-immolated to protest Chinese rule — men and women, old and young, monks and lay people. Chinese authorities have responded violently, deploying troops, cutting phone lines, and forcing monks to undergo draconian "patriotic education" programs. They blame "hostile foreign forces" for inciting the immolations — mainly from Dharamsala, where advocacy groups gather information about the fiery protests and distribute that information abroad. Experts say that the hacks may be part of an elaborate campaign to identify possible protests and preempt them.

Few cyberattacks on Dharamsala are strategically tailored to monitor or control the city’s network infrastructure, say experts. The most common attacks are spearphishing attempts: Tibetans, especially those working for the CTA or pro-independence organizations, say they frequently receive strange emails purporting to be from friends or associates. They often contain attachments that, once downloaded, infect the user’s computer with malware, allowing a hacker to operate the system remotely. The computer essentially becomes shared; keystrokes are recorded, passwords saved, contacts downloaded. Everything is compromised.

Kelsang Aukatsang, a former advisor to the Tibetan prime minister in exile, remembers the shock of realizing that he’d been hacked. In July 2012, Aukatsang sent an email to a U.S. senator to arrange a meeting for the prime minister, Lobsang Sangay. The following morning, the senator received a surprise call from the Chinese Embassy in Washington, urging her not to attend. The meeting ultimately proceeded as planned. "But the bigger point is that they knew — that exchange got intercepted," Aukatsang said. "You wonder what more you can do to feel safe. There’s a real sense of being at risk, of being watched."

MORE THAN HALF THE CTA’S COMPUTERS contain some sort of malware, estimates the government in exile’s press officer, Tsering Wangchuk. "Most of the key computers in our city, in Dharamsala, are in some way compromised," he says. The administration’s technical staff of 13 spends much of its time simply trawling through hard disks, finding and eliminating malicious code. "They go after us all the time, diligently," said another administration employee who requested anonymity. "If with every 100,000 attempts they have one success, they use that one success to exploit everything that they can."

Cybersecurity experts call this "advanced persistent threat" (APT) — a constant onslaught of targeted attacks requiring resources that are normally unavailable to individual hackers. "Dharamsala is ground zero for advanced persistent threat, really," says Greg Walton, a doctoral candidate at Oxford University’s Center for Doctoral Training in Cyber Security. Walton traveled to Dharamsala in 2008 to help the Dalai Lama’s private office better understand what, and who, had been compromising its systems. His team discovered that the most likely culprit was a shadowy hacker group responsible for a series of network intrusions that American investigators had dubbed "Byzantine Hades." The group, according to U.S. State Department cables released by WikiLeaks, had ties to a unit of the People’s Liberation Army, China’s military, based in the southwestern Chinese city of Chengdu.

Many Dharamsala-based Tibetan NGOs, Walton says, have been attacked by groups that are better known for infiltrating Western corporations, military contractors, and government agencies. One, dubbed "APT1" by cybersecurity firm Mandiant, is an elite cyber-espionage outfit affiliated with the Chinese military. Another group is a corporate espionage unit that allegedly stole secret documents and formulas from major global chemical companies in 2011 in an attack campaign dubbed "Nitro" by computer security firm Symantec. "In the most pessimistic light, there’s very little that the Tibetans can do in exile, because they’re so underresourced," says Walton. "If you have a situation where the State Department or the Pentagon is being compromised by the same groups, what hope do refugees in the foothills of the Himalayas have to deal with that problem?" He describes China’s APT strategy as gathering "a thousand grains of sand," hoping that some piece of information, no matter how small, will bear strategic value.

PERHAPS AN EVEN MORE PERNICIOUS THREAT to Tibetan cybersecurity is WeChat, a Chinese smartphone app that combines features from In
stagram, Skype, and Facebook. The program has more than 500 million users, with 100 million of them outside China; its popularity has exploded in Dharamsala over the past few years as an easy way for refugees to contact relatives back home. "All of my friends here use WeChat," says Tashi Nangyal, a 22-year-old Tibetan refugee who fled to India on foot across the Himalayas. "Since Tibetans inside Tibet are all using WeChat, we don’t think of using any alternatives."

The program was developed by Tencent, a Shenzhen-based Internet empire that, like all major Chinese Internet companies, is rumored to enjoy close ties to the country’s leadership. "From Tibetan civil society’s point of view, WeChat is itself malware — it’s malicious," says Walton. "All of the traffic is being channeled through Shanghai. It’s presumably being piped into China’s equivalent of PRISM," he adds, referring to the U.S. National Security Agency’s top-secret surveillance program, which was exposed by leaker Edward Snowden. Advocacy groups reported this summer that two monks in Tibetan areas of China were arrested after posting pictures of self-immolation protests to WeChat. One received a six-year prison sentence; the other will likely spend the rest of his life in jail. Tencent did not reply to a request for comment.

In recent years, short stints in Dharamsala have become a popular way for security experts to analyze little-known cyberattacks, says Shishir Nagaraja, a computer scientist at the University of Birmingham who has also aided the Dalai Lama’s private office. "You don’t have to pay people for this stuff. Some of the brightest minds at Cambridge will be more than happy to contribute to securing the Tibetans’ Internet freedom rights," he says. Many are young, left-leaning idealists who are attracted by the novelty of the job. Yet "it’s a very temporary arrangement," he said. Most stay for only two or three years, while China’s hacking never ends.

"We are very vulnerable," says Tenzin Paldon, the Dharamsala-based editor in chief of Voice of Tibet, a radio station that broadcasts Tibet news into China via shortwave radio. Paldon’s personal email account has been hacked; the broadcaster’s website has been crippled repeatedly. Yet Paldon refuses to be cowed. If Tibetans continue to self-immolate, she says, she will continue to report their stories. "I think it’s our duty to spread the word about what these people did, and why they’re doing it, to the outside world."

Meanwhile, Dharamsala’s Tibetan community has formed an incipient defense. In March, cyberactivists launched a secure Tibetan-language messaging application called YakChat. And the Tibetan government in exile recently procured a grant to lay new cables, update its servers, and train new staff, sources say, though they’re keeping the details under wraps.

"What we’re trying to do now is provide more opportunities for Tibetans themselves to become experts in cybersecurity," says Walton, the Oxford researcher. Many students at the Tibetan Children’s Village, the leafy school campus where Sither gave his presentation, will go on to work in advocacy NGOs; some will join the CTA. Most are learning about cybersecurity for the first time, and experts hope that the lessons will resonate. "It’s a gradual process, teaching people to guard their privacy. The Internet is quite a new thing in their lives," said Phuntsok Dorje, the head of the school’s computer program.

IT’S TWILIGHT BY THE TIME SITHER FINISHES his PowerPoint presentation, and the students file out of the auditorium and into the cool, damp air of the rainy season. Nangyal, the 22-year-old refugee, says that students are not allowed to keep phones on campus and that he can only contact his family on holidays. The assembly has made him reflective. "I used to talk about His Holiness the Dalai Lama on WeChat," he says, his brow furrowed. I ask him whether he now understands that the Chinese may be listening in. Maybe he’ll download a Korean messaging app, he offers, to make his communications less traceable. Or maybe, from now on, he’ll just be more careful about what he says.